Saturday, April 9, 2011

Developing an effective incident response procedure is crucial to minimising the impact of a security breach or DDoS attack. A good incident response plan not only helps secure the impacted infrastructure, but can also increase customer loyalty. The recent DDoS attack on LiveJournal clearly required the use of public relations techniques, which did not appear to happen in time.

In the absence of information, the rumour mill will take over. Instead, an immediate and honest statement should clarify the known details, and that information should be updated frequently. The organisation must demonstrate commitment, and this will be appreciated by its customers. Where certain information cannot be released, it is important to offer an explanation. By doing this the organisation appears responsive and cooperative even if not a great deal of information has been released.

The organisation must also educate all employees on the use of social media during the crisis and monitor Twitter, MySpace, Facebook and other social sites. Tracking and quickly responding to the relevant conversations should help uncover and defuse any potential crises in the making.

While no organisation is immune to similar incidents, this does not necessarily have to turn into a disaster.

Saturday, April 2, 2011

VMware VMFS is the VMware Virtual Machine File System, which is used by VMware ESX and ESXi servers to store virtual machine disk images (.VMDK) and snapshots. The VMDK (Virtual Machine Disk) files are equivalent to real hard drives, except that they are virtual. Many forensic tools, including EnCase, can analyse VMware (.vmdk) data files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting the VMDK files out of VMFS without ESX or ESXi infrastructure. There are several solutions to this problem.

The Open Source VMFS Driver was written by fluidOps in Java; it is free and allows read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons; it doesn't cost me anything and there is no pain with dongles or registrations.

In FTK Imager, set the mount type to Physical.

Running the following command should get you into the partition via the WebDAV interface:

C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav

The world isn't perfect though and you may run into a couple of problems:

Problem 1: You may get an error similar to this:

Exception in thread "main" java.io.IOException: VMFS FDC base not found
    at com.fluidops.tools.vmfs.VMFSDriver.openVmfs(VMFSDriver.java:1180)
    at com.fluidops.tools.vmfs.VMFSTools.cli(VMFSTools.java:225)
    at com.fluidops.tools.vmfs.VMFSTools.main(VMFSTools.java:492)

Problem 2: There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.

There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine, and one of the guest OSes was Ubuntu 10.10. I added the hard disk (PhysicalDrive4) to my Linux guest OS and started it.

vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.

In Linux I installed vmfs-tools by running:

sudo apt-get install vmfs-tools

and typed the following command:

sudo fdisk -l

The above shows that the VMFS file system is located on /dev/sdb3.

The next commands mount the VMware VMFS partition:

mkdir /home/a/Desktop/system
vmfs-fuse /dev/sdb3 /home/a/Desktop/system

and show what's inside:

ls -alh

I then connected a 1TB USB drive (Seagate FreeAgent Go) to the virtual machine and copied the files for further analysis. DONE.
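The Linux procedure above, as an added shell script that is not part of the original post: it picks the VMFS partition out of fdisk -l output (ignoring FAT "Hypervisor" partitions like the ones that tripped the fluidOps driver), mounts it read-only with vmfs-fuse and hashes the VMDK files so later copies can be verified. The sample fdisk listing, device names and mount point are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the MBR-style
# "fdisk -l" listing of the era (Id fb, System "VMware VMFS") and that
# vmfs-tools is installed. Disk layout and mount point are constructed.

# Print the device node of every partition fdisk labels "VMware VMFS".
find_vmfs_partitions() {
    awk '$1 ~ /^\/dev\// && /VMware VMFS/ { print $1 }'
}

# Mount the first VMFS partition found in the fdisk listing read from stdin.
# vmfs-fuse only offers read-only access, so the evidence is not altered.
mount_first_vmfs() {
    mnt="$1"
    dev="$(find_vmfs_partitions | head -n 1)"
    [ -n "$dev" ] || { echo "no VMFS partition found" >&2; return 1; }
    mkdir -p "$mnt"
    vmfs-fuse "$dev" "$mnt" || return 1
    echo "mounted $dev read-only on $mnt"
}

# Hash every VMDK under the mount point; keep the list with the case notes.
hash_vmdks() {
    find "$1" -type f -name '*.vmdk' -exec sha256sum {} +
}

# Constructed fdisk -l output resembling the post's disk: a small boot
# partition, a FAT "Hypervisor" partition, and the VMFS datastore on sdb3.
SAMPLE_FDISK='Disk /dev/sdb: 500.1 GB, 500107862016 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1           2        8001   83  Linux
/dev/sdb2               3         300     2393000    6  FAT16
/dev/sdb3             301       60801   485984000   fb  VMware VMFS'

# Which partition would be mounted for the constructed listing?
detect_from_sample() {
    printf '%s\n' "$SAMPLE_FDISK" | find_vmfs_partitions | head -n 1
}

if [ "$#" -eq 1 ]; then
    # Real use (as root, e.g. via sudo): ./vmfs_mount.sh /home/a/Desktop/system
    fdisk -l 2>/dev/null | mount_first_vmfs "$1" && hash_vmdks "$1"
else
    echo "VMFS partition in sample listing: $(detect_from_sample)"
fi
```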
